Portfolio Developer Technical

Full-Stack AI/ML Engineer

Data Security as a Product

10Security Pillars 7/10Controls Shipped 27Automated Checks Internal + ExternalScope
Branded Mode
Investor Technical Executive
All Projects

Data Security as a Product

10 Securitypillars
7/10 Controlsshipped
27 Automatedchecks
Internal + External Scope

Why institutions choose evidence over promises

Internal proof (CODA platform)

External offering

How to protect customer information — ten pillars

Each pillar maps to your security framework: what CODA implemented, how it works in code and operations, and why it wins institutional trust. Shipped controls are live on UAT; in-progress items include owners and dates.

10 Protection pillars
7/10 Controls live
27 Automated checks

Encrypt Data

Live on UAT / Production

What we did

Customer and integration data is protected in transit and at rest: HTTPS with HSTS on all internet-facing environments, Fernet encryption for OAuth tokens and API credentials, and PBKDF2 password hashing (replacing legacy MD5).

How we did it

Production and UAT settings enforce SECURE_SSL_REDIRECT, HSTS (1-year preload), and secure session/CSRF cookies. Secrets at rest use shared_core/crypto.py (Fernet via OAUTH_TOKEN_FERNET_KEY). Passwords hash through PBKDF2 with MD5 verify-only fallback so existing users rehash on next login without lockouts.

Why it matters

If traffic is intercepted or a database backup leaks, ciphertext and strong hashes keep customer credentials and integration secrets unreadable — a baseline every institution asks about in vendor reviews.

Evidence

  • TLS 1.2+ via Heroku / PostgreSQL ssl_require=True
  • Fernet-encrypted credential payloads in platform_services
  • Automated questionnaire: encrypt_data pillar graded A

What we sell

We map your encryption posture to questionnaire answers with file-level evidence — not generic policy statements.

Access Control (RBAC)

Live + CI enforced

What we did

Role-based access control is centralized across finance, contributions, contracts, and dashboards — with automated CI checks that block permission regressions.

How we did it

core/permissions.py and accounts/permissions.py define persona gates (staff, finance, investor, student). Views use CODAPermissionMixin and require_* decorators. scripts/rbac_audit_check.py runs on every PR; contract_access.py stays request-free for testable pure predicates.

Why it matters

Least privilege reduces insider risk and satisfies audit questions about who can see payments, member records, and administrative functions.

Evidence

  • RBAC enforcement GitHub workflow
  • RBAC P1.5 audit artifact with coverage status
  • Contract access purity check (HIGH — always fail CI if violated)

What we sell

We document your RBAC matrix, automate drift detection, and produce audit-ready artifacts for institutional due diligence.

Strong Authentication

MFA deployed (grace rollout)

What we did

Staff and superuser accounts require TOTP multi-factor authentication, mandatory email verification in production, and Django's full password validator suite.

How we did it

django-otp with TOTP devices and one-time backup codes. StaffMfaMiddleware gates privileged sessions after login. Enrollment at /accounts/mfa/setup/; verification each session at /accounts/mfa/verify/. CODA_MFA_ENFORCE + optional grace date control rollout on Heroku without lockout surprises.

Why it matters

Administrative accounts are the highest-value targets. MFA and verified email close the gap between 'someone knows a password' and 'someone is authorized.'

Evidence

  • MFA migrations applied on codamakutano UAT
  • 7 automated tests in test_staff_mfa.py
  • Questionnaire: django_otp_wired check passes

What we sell

We implement MFA with enrollment grace periods, backup codes, and middleware enforcement — packaged as a rollout playbook for your staff.

Keep Systems Updated

Phase 5 — tracked roadmap

What we did

Dependencies are pinned and monitored; a phased security plan tracks Django upgrade, pip-audit CI, and dependency CVE response.

How we did it

Poetry lockfile at repo root for reproducible builds. SECURITY_IMPLEMENTATION_PLAN and SECURITY_REMEDIATION docs define P0–P6 phases. pip-audit and gitleaks scheduled for Phase 2 CI. Django 4.2 LTS upgrade planned in Phase 5 with UAT soak.

Why it matters

Known CVEs in EOL frameworks are the fastest path to breach. Institutions expect a visible patch cadence — not 'we'll get to it eventually.'

Evidence

  • Documented upgrade path (Django 3.2 → 4.2 LTS)
  • Questionnaire flags EOL until upgrade completes — honest scoring
  • Heroku dyno receives deploys from controlled CI/CD branch

What we sell

We deliver a dependency CVE program with SLAs and automated scanning — so your security answers include dates and owners, not hand-waving.

Monitor & Log Activity

Domain audit trails live

What we did

Authentication, finance, webhook, and public-access events are logged with structured audit models — designed for review, not silent mutation.

How we did it

LoginHistory tracks sign-ins. FinanceAuditEvent records settlement and webhook actions. WebhookEventRecord stores SHA-256 payload hashes (never raw PINs/OTPs). ContributionPublicAccessLog records token fingerprints and rate-limit events. Heroku captures stdout for centralized log drain.

Why it matters

You cannot respond to incidents you cannot see. Audit trails are how institutions prove 'we knew who did what, when' after the fact.

Evidence

  • finance_core webhook event ledger with idempotency
  • Public link rate limiting + access logging (contributions)
  • Phase 3 roadmap: SecurityEvent model + alerting

What we sell

We map your audit surfaces to compliance checklists and design alerting that matches your operational model.

Backup Data Regularly

Heroku PG + runbooks

What we did

Production database backups via Heroku Postgres, with documented restore procedures and CLI tooling for backup verification.

How we did it

Heroku pg:backups capture on schedule. platform_services management command heroku_list_backups surfaces backup age. scripts/backup/postgres_backup.sh and restore_into_compose_postgres.sh support dev/staging drills. CODA Docker Developer Guide documents quarterly restore expectations.

Why it matters

Ransomware, operator error, and provider outages happen. Tested backups are the difference between a bad day and a business-ending event.

Evidence

  • Heroku Postgres on codamakutano
  • Backup scripts in repo (scripts/backup/)
  • Phase 3: automated backup age alerts planned

What we sell

We document RPO/RTO targets, run restore drills with you, and produce evidence for board and regulator questions.

Use Network Security

Core live — CSRF Phase 2

What we did

CSRF protection on all session-authenticated routes, explicit ALLOWED_HOSTS, X-Frame-Options DENY, and webhook-only CSRF exemptions on an documented allowlist.

How we did it

CsrfViewMiddleware globally enabled. scripts/csrf_exempt_allowlist.txt documents every exempt endpoint (payment webhooks, health probes only). SSRF guards in application/utils.py block private IP ranges on outbound URL validation. Phase 2 removes ~20 legacy finance CSRF exemptions.

Why it matters

Network-layer controls stop session hijacking, clickjacking, and server-side request forgery — common attack paths against Django monoliths.

Evidence

  • manage.py check --deploy passes on staging/production settings
  • Automated CSRF exempt count in security questionnaire
  • Referrer-Policy and nosniff headers in prod

What we sell

We inventory your attack surface, shrink CSRF exemptions to webhooks only, and prove deploy-check compliance in CI.

Data Minimization

Hash-only + retention tools

What we did

Sensitive payloads are not stored when a hash or fingerprint suffices; retention purge commands exist for webhook dead letters and operational logs.

How we did it

WebhookEventRecord: payload_hash + normalized DTO — never raw webhook bodies. Public access logs store SHA-256 token fingerprints, not tokens. purge_webhook_dead_letters management command for retention. REQUIREMENT_INTELLIGENCE_REDACT_SENSITIVE_SOURCE_TEXT flag for AI pipelines.

Why it matters

GDPR and institutional clients ask: 'Do you really need to store that?' Minimization shrinks breach blast radius and simplifies compliance narratives.

Evidence

  • Webhook security model docstring: NEVER stores raw bodies
  • contributions public_security.py token_fingerprint()
  • Phase 4: login history + access log retention scheduling

What we sell

We audit what you store, why, and for how long — then implement retention jobs with legal sign-off.

Compliance

Automated scorecard

What we did

Security posture is measured against ten customer-data protection pillars with automated checks, CI integration, and phased remediation documentation.

How we did it

scripts/security_questionnaire_check.py produces JSON/markdown scorecards mapped to GDPR/SOC-style control areas. GitHub workflow runs on every PR. SECURITY_IMPLEMENTATION_PLAN tracks Phases 0–6 with checkboxes and owners. RBAC and deploy checks feed the compliance pillar grade.

Why it matters

Compliance is not a PDF — it is repeatable evidence. Automation turns annual panic into continuous readiness for vendor reviews and board questions.

Evidence

  • 27 automated checks across 10 pillars
  • docs/audits/SECURITY_BASELINE reports
  • External offering: consultation-led assessment for clients

What we sell

This is the product: we run the same engine on your stack and deliver a scored assessment with remediation phases — what CODA uses internally, sold externally.

Employee Awareness

Training + MFA enrollment

What we did

Staff security culture through academy safety governance, MFA enrollment workflows, and documented security operating procedures — not security as an afterthought.

How we did it

AI Improvement Lab safety checklists and UAT-only banners train staff on production boundaries. MFA setup flow includes backup code handoff and grace period comms. SECURITY_REMEDIATION and IMPLEMENTATION plans are living docs the engineering team executes against.

Why it matters

The weakest link in any system is a person who clicks the wrong link or shares credentials. Awareness turns your team into part of the control, not a bypass.

Evidence

  • Academy safety invariants in cohort YAML
  • Staff MFA enrollment at /accounts/mfa/setup/
  • Phase 4: HR training attestation integration planned

What we sell

We pair technical controls with rollout comms, enrollment playbooks, and staff-ready security summaries institutions can share with boards.

Who this is for

Remember

Book a security assessment consultation

Implementation index

Primary code paths referenced across the ten pillars.

AreaPath
Settings coda_project/coda_settings/prod_settings.py
MFA accounts/views_mfa.py, middleware_staff_mfa.py
Crypto shared_core/crypto.py
Questionnaire scripts/security_questionnaire_check.py
RBAC CI scripts/rbac_audit_check.py

Portfolio Project - 2025